CONDOR-2012-0003

Summary:

Condor installations that support Standard Universe jobs and run the
daemons on the submit machine as root are vulnerable to local privilege
escalation. If a user submits a job into the standard universe, the user
job may then execute code on the submit machine as the root user. If your
Condor installation does not contain the condor_shadow.std executable, then
you are not affected by this vulnerability.

CVE-2012-5390

Component: Condor standard universe shadow
Vulnerable Versions: 7.7.3 to 7.7.6, 7.8.0 to 7.8.4, and 7.9.0
Platform: Linux
Availability: not known to be publicly available
Fix Available: 7.8.5

Status: Verified
Access Required: ability to submit jobs to the condor_schedd
Host Type Required: n/a
Effort Required: low
Impact/Consequences: high

Fixed Date: 2012-Oct-22
Credit: Zach Miller, Condor team

Access Required:

ability to submit jobs

Any person who can submit standard universe jobs to the condor_schedd can
exploit this. Submissions are authenticated and are typically done
locally. However, if Condor is configured to allow remote submits, jobs
submitted remotely into the standard universe can also exploit this.

Effort Required:

low

To exploit this, an attacker just needs to know the correct sequence of
communications with the condor_shadow.std.

Impact/Consequences:

high

If an attacker is successfully able to communicate correctly with the
condor_shadow.std, they may instruct the shadow to run arbitrary code
as the root user, including spawning additional processes.

Cause:

Missing privilege check

Condor should never spawn user processes as root, and makes explicit checks
in most places to ensure this never happens. In the standard universe
shadow, an unrelated change opened a new code path where privilege checking
did not exist.

Proposed Fix:

Remove the code, as it should never be used.

Actual Fix:

As proposed.

Workaround:

If you do not need to run standard universe jobs, simply delete the
condor_shadow.std from your installation.
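
An exposure check built from the version ranges and the workaround above
(added example, not part of the original advisory and not Condor project
code). The version string and the path to condor_shadow.std are assumptions
supplied by the operator as arguments; the script does not query Condor.

```shell
#!/bin/sh
# Added example (not Condor project code): exposure check for CONDOR-2012-0003.
# Usage: sh check.sh VERSION /path/to/condor_shadow.std   (both operator-supplied)

# Exit 0 if VERSION is in the advisory's vulnerable ranges
# (7.7.3 to 7.7.6, 7.8.0 to 7.8.4, 7.9.0), 1 if not, 2 if unparsable.
is_vulnerable_version() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split MAJOR.MINOR.PATCH on dots
    IFS=$old_ifs
    [ $# -eq 3 ] || return 2
    [ "$1" -eq 7 ] || return 1
    case "$2" in
        7) [ "$3" -ge 3 ] && [ "$3" -le 6 ] ;;
        8) [ "$3" -le 4 ] ;;
        9) [ "$3" -eq 0 ] ;;
        *) return 1 ;;
    esac
}

# Print a verdict. The advisory states that an installation without the
# condor_shadow.std executable is not affected, so that is checked first.
assess() {
    if [ ! -e "$2" ]; then
        echo "not-affected: $2 is absent"
        return 0
    fi
    rc=0
    is_vulnerable_version "$1" || rc=$?
    case "$rc" in
        0) echo "vulnerable: upgrade to 7.8.5, or delete $2 if standard universe is not needed" ;;
        1) echo "not-listed: $1 is outside the advisory's vulnerable ranges" ;;
        *) echo "unknown: cannot parse version '$1'" ;;
    esac
}

if [ $# -ge 2 ]; then
    assess "$1" "$2"
fi
```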